Malware Analysis using Osquery Part 1


Tools like Sysmon and Osquery are useful for detecting anomalous behavior on endpoints. They give good visibility into what is happening on an endpoint by logging many kinds of events, which can be forwarded to a SIEM or another correlation system for analysis.

In this blog series, we’ll analyze different malware families, looking at the types of events generated on the endpoint and how we can use Osquery to detect them.

Let's start!

We'll begin with the well-known Emotet banking Trojan, a persistent threat that targets many countries and industry sectors (The Evolution of Emotet). It spreads through phishing email carrying a malicious Office document; when the victim enables the macro, it downloads the malware.

As the sandbox report shows, the Office macro launches PowerShell with an encoded command (a base64-encoded, UTF-16LE script passed via -EncodedCommand) that downloads the payload.

If we run the sample in an environment with Osquery installed, we can query the powershell_events table for the script blocks PowerShell executed. Osquery builds this table from the Microsoft-Windows-PowerShell/Operational event log channel (event ID 4104), so Script Block Logging must be enabled on the host first; otherwise the table stays empty.

The result shows both the encoded command that was launched and the script text PowerShell logged after decoding it, which exposes the download logic in clear text.
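The two queries below are an added example for this step and are not taken from the original post. They are meant to be run in osqueryi on the Windows host where the sample was detonated; the registry key path is the standard Script Block Logging policy location, and the keyword list is an assumed set of strings common to PowerShell download cradles, not indicators from the sample itself.

```sql
-- Added example, not from the original post.

-- 1. Confirm Script Block Logging is actually on. Osquery's registry table
--    exposes the policy value; data = 1 means enabled. If this returns no row
--    or data = 0, powershell_events will be empty no matter what runs.
SELECT key, name, data
FROM registry
WHERE key  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
  AND name = 'EnableScriptBlockLogging';

-- Assumption: in current osquery builds powershell_events is an evented table
-- and osqueryd must be started with --enable_powershell_events_subscriptions
-- (check `osqueryd --help` for your version).

-- 2. Pull the script blocks PowerShell logged (event ID 4104) and keep only the
--    ones that look like a download cradle. script_text is the decoded block,
--    so an -EncodedCommand payload appears here in clear text; long scripts are
--    split into several 4104 events and osquery reassembles them, which is
--    what script_block_count reports. SQLite LIKE is case-insensitive for
--    ASCII, so 'iex' and 'IEX' both match.
SELECT datetime, script_block_id, script_block_count, script_path,
       substr(script_text, 1, 300) AS script_preview
FROM powershell_events
WHERE script_text LIKE '%DownloadFile%'
   OR script_text LIKE '%DownloadString%'
   OR script_text LIKE '%Net.WebClient%'
   OR script_text LIKE '%Invoke-WebRequest%'
   OR script_text LIKE '%IEX%'
   OR script_text LIKE '%FromBase64String%'
ORDER BY datetime DESC;
```

The preview is truncated to 300 characters only to keep the table readable; drop the substr() when you want the full reconstructed script for reverse engineering.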

While PowerShell is downloading the payload, Osquery can show the sockets opened by any process. The process_open_sockets table is a point-in-time snapshot, not a log, so it must be queried while the connection is still open (or scheduled every few seconds). A simple JOIN between process_open_sockets and processes shows which process owns each connection.

It is also interesting to see which files were written to disk during the payload download. The file table (file table schema) exposes useful metadata such as size and timestamps. This table requires a WHERE constraint on path or directory to return anything, so we can narrow it to the Users directory and, for example, files created (btime) in the last 100 seconds.
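As an added example (not from the original post), here is that file query written out, plus a follow-up that hashes whatever it finds so the dropped file can be looked up in OTX or another reputation source. The directory names under the user profile are assumptions about where a downloader typically writes; adjust them to your environment.

```sql
-- Added example, not from the original post.

-- Files created under any user profile in the last 100 seconds.
-- osquery's file table refuses to run without a path/directory constraint.
-- In its LIKE patterns '%' matches one path component and '%%' recurses,
-- so 'C:\Users\%%' walks every profile. That is slow on a busy host; the
-- narrower patterns below cover the usual drop locations and are cheaper.
SELECT path, size, type,
       datetime(btime, 'unixepoch') AS created,
       datetime(mtime, 'unixepoch') AS modified
FROM file
WHERE (path LIKE 'C:\Users\%\AppData\Local\Temp\%%'
    OR path LIKE 'C:\Users\%\AppData\Roaming\%%'
    OR path LIKE 'C:\Users\%\Downloads\%%')
  AND type = 'regular'
  AND btime > (CAST(strftime('%s', 'now') AS INTEGER) - 100)
ORDER BY btime DESC;

-- Same window, but join the hash table (it also needs a path constraint,
-- which SQLite pushes through the join) to get SHA-256 for each new file.
SELECT f.path, f.size, h.sha256
FROM file f
JOIN hash h ON f.path = h.path
WHERE f.path LIKE 'C:\Users\%\AppData\Local\Temp\%%'
  AND f.type = 'regular'
  AND f.btime > (CAST(strftime('%s', 'now') AS INTEGER) - 100);
```

The btime filter relies on NTFS creation time, which a dropper can reset; when in doubt, widen the window or filter on mtime as well.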

The file PowerShell downloaded is an Emotet dropper that extracts the final payload and executes it (squarectx.exe). Now let's list the running processes. As before, a JOIN with the users table adds the username column. Some rows have been omitted for a cleaner view.
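The following query is an added example, not code from the original post. It makes the process listing more useful for this case by resolving the parent process as well as the owner, so the winword.exe to powershell.exe to dropper to squarectx.exe chain is visible in one row set. The parent process names are assumed from the behaviour described above, not read from the sample.

```sql
-- Added example, not from the original post.
-- Running processes with owner and parent name. LEFT JOINs keep rows whose
-- uid has no match in users (e.g. SYSTEM) or whose parent already exited.
SELECT p.pid,
       p.parent,
       pp.name AS parent_name,
       p.name,
       p.path,
       p.cmdline,
       u.username,
       datetime(p.start_time, 'unixepoch') AS started
FROM processes p
LEFT JOIN users u      ON p.uid    = u.uid
LEFT JOIN processes pp ON p.parent = pp.pid
WHERE p.name = 'squarectx.exe'                         -- the payload we expect
   OR pp.name IN ('winword.exe', 'powershell.exe')     -- children of the cradle
   OR (p.path LIKE 'C:\Users\%%'                       -- anything running from a
       AND p.path NOT LIKE '%\Program Files%')         -- user-writable location
ORDER BY p.start_time;
```

Processes whose parent has already exited show parent_name as NULL; Emotet's dropper commonly exits after launching the final payload, so a NULL there next to squarectx.exe is itself worth noting rather than a query error.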

Now we know that Emotet is running in our environment and is probably doing malicious things, so let's look for signs of its activity. We can reuse the network query from above to list the connections made by system processes; this is where the communication with the command and control (C2) server shows up.
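This is the socket-to-process JOIN referred to in both the download step and the C2 check above, written out as an added example (not the original post's query). The filter on user-profile paths and on the process names seen earlier in the chain is an assumption to cut noise; remove it to see every outbound connection on the host.

```sql
-- Added example, not from the original post.
-- process_open_sockets is a snapshot: run it while the sample is active, or
-- schedule it every few seconds in osqueryd so short-lived C2 connections
-- are not missed. protocol is numeric (6 = TCP, 17 = UDP).
SELECT p.pid,
       p.name,
       p.path,
       u.username,
       s.local_port,
       s.remote_address,
       s.remote_port,
       CASE s.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE s.protocol END AS proto,
       s.state
FROM process_open_sockets s
JOIN processes p   ON s.pid = p.pid
LEFT JOIN users u  ON p.uid = u.uid
WHERE s.remote_address NOT IN ('', '0.0.0.0', '::', '127.0.0.1', '::1')
  AND s.remote_port != 0                               -- drop listeners
  AND (p.path LIKE 'C:\Users\%%'                       -- user-writable image path
       OR p.name IN ('powershell.exe', 'squarectx.exe'))
ORDER BY p.pid, s.remote_address;
```

During the download phase the interesting row is powershell.exe talking to the staging host; afterwards it is squarectx.exe (or whatever the payload is named on your host) holding connections to the C2 server. Pivot each remote_address into OTX or your threat intelligence platform before deciding it is benign.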

As we have seen, it is possible to analyze malware and extract valuable information using tools like Osquery, which give us rich visibility into system events.

How AlienVault uses Osquery

Osquery allows you to retrieve a wealth of events and useful information from your endpoints. This can be extremely helpful for investigating security incidents as well as threat hunting activities on your critical assets.

AlienVault leverages Osquery through the AlienVault Agent to enable threat hunting in both USM Anywhere and the Open Threat Exchange.

The AlienVault Agent is a lightweight, adaptable endpoint agent based on Osquery and maintained by AlienVault. In USM Anywhere, the AlienVault Agent enables continuous endpoint monitoring, using the built-in AlienVault threat intelligence to automate endpoint queries and threat detection alongside your other network and cloud security events. This allows USM Anywhere to deliver endpoint detection and response (EDR), file integrity monitoring (FIM), and rich endpoint telemetry capabilities that are essential for complete and effective threat detection, response, and compliance.

In April, AlienVault introduced the Endpoint Threat Hunter – a free threat-scanning service in Open Threat Exchange® (OTX™) based on the AlienVault Agent. OTX Endpoint Threat Hunter allows anyone to determine if their endpoints are infected with the latest malware or other threats by manually scanning their endpoints for the presence of indicators of compromise (IoCs) that are catalogued in OTX.

Javier Ruiz is a Security Researcher working in the AT&T Alien Labs team. He is very passionate about the InfoSec world and loves investigating and contributing to the community. Prior to working in security roles he studied Telecommunication Engineering and also holds a master's degree in cybersecurity. His main passion is analyzing malware, reverse engineering and learning about new ways of attacking endpoint systems.